0

I want to make a set of rules, where it would only accept read and writes from a specified URL.

Example, when some code is trying to access my database, it would only let it access it if the domain was something like https://myProject.theHostDomain.com

I have looked up questions made by other people, and it seems confusing on the topic of the Google Firebase Realtime Database Security Rules. I can only think of one way to make my database secured, and that is by the domain of the website.

maybe something like:

{
   "rules": {
      ".read": "$url === https://myProject.theHostDomain.com/",
      ".write": "$url === https://myProject.theHostDomain.com/"
   }
}

I want to secure my database, because my database contains usernames, emails, passwords, and other private information my users will be having. I am hoping that has a solution, and I don't have to result to looking on about how to secure a database read and write rules from a specified url. Yes, I get that they can use the console in inspect element, but I can deal with that later.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
Stanlyhalo
  • 29
  • 7

1 Answers1

0

It's not possible to restrict access to Firebase resources (Realtime Database, Cloud Firestore, Cloud Storage) that originate from a certain web site or location on the internet. In general, the web does not facilitate the reporting of secure origin site verification. There are "referer" headers, but those are easily spoofed.

You should instead by using Firebase Authentication to sign in users, then protect content that only that particular user should be able to access.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Okay, well, I'm not using Firebase Authentication, I'm making my database hold all the information. – Stanlyhalo May 01 '19 at 04:26
  • Without Firebase Auth, you will have a hard time preventing the internet at large from reading and writing all the information in your database. – Doug Stevenson May 01 '19 at 04:28